SLTechnology News&Howtos > Network Security
2025-02-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
Intelligence in network security can be divided into two categories: security intelligence (in the narrow sense) and threat intelligence. For a given user, security intelligence describes what they have and what they can defend; threat intelligence describes what the adversary has and what they are able to carry out. In other words: know yourself and know the enemy.
Security intelligence comes mainly from the system's configuration information and the output of vulnerability scanners, which give security staff the most basic understanding of the existing system. At present people are more concerned with threat intelligence, because people always pay more attention to others than to themselves.
Threat intelligence is the traditional intelligence people picture, so from the point of view of the timeline it can be divided into early warning and evidence after the fact. Early warning guides security staff in deploying protection; evidence after the fact is used to trace the source. Furthermore, for APT***, the preceding series of evidence is a warning for what follows, and vice versa.
The main work on intelligence in security situational awareness consists of collection and analysis. So where does the information come from? For security intelligence, it is in fact a matter of obtaining the latest vulnerability information from the major vulnerability disclosure sites as completely as possible, and scanning one's own systems as thoroughly as possible to determine whether they have vulnerabilities or meet the corresponding security standards.
For threat intelligence, besides getting enough reports and logs from your IDS, IPS, firewall and anti-DDoS devices, you also have to "take the initiative" to find useful information. This is really the problem of expanding intelligence sources. At present the various vendors do not have many channels, so intelligence sharing is very important and has a bright future. Of course, although the principle of intelligence acquisition is × ×, we must not use honeypot data like Norse-corp.
Analysis is the purpose of collection, and because the results of analysis go directly to users, we must extract something genuinely valuable from massive data. What the industry has mostly realised so far is visualisation of intelligence content: showing the security loopholes and existing vulnerabilities in the user's system in the form of charts.
Through some algorithmic model, some vendors claim to directly identify and locate * *, and even to predict possible future *. This is in fact an important goal of a situational awareness system: to predict future trends. However, if the implementation merely lists some strongly related log entries in chronological order, or uses a simple algorithm to identify who is * *, then when the * * behaviour is repeated, or some deliberately "stupid" operations are used to mislead, these features will not produce the desired results.
Therefore, given that the accuracy of such results is currently not high, a more moderate approach is to propose the concept of a "clue". The word is borrowed from everyday life: the police need to find clues to solve a case, and writers bury several clues in a story; likewise, we need to find clues when processing intelligence.
Such a clue is based at minimum on the combined factors of target IP, * * IP and * * time, but it also needs higher-dimensional elements such as motivation and behavioural habits that can help trace the source, realised technically through big data and neural networks. The clue function is positioned more modestly than prediction and identification, and it is easier for users to accept than radical concepts such as prediction; rather than being sidelined, it will receive more attention and greater development.
Looking in the rearview mirror, every * seems obvious once we work forward from the result. To escape this hindsight, security situational awareness needs to find clues in huge volumes of data before the * is launched, which depends on developers having strong and effective algorithms. Moreover, the guiding principle for intelligence is that a false positive is better than a miss: when users click this function, they need to see you answer ten questions for every one asked, rather than cleverly omit some information. Of course, a more advanced implementation at a later stage is to let users add filtering rules or even custom algorithms.
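The "clue" idea above, as an added example that is not code from the original article or from any vendor it mentions: related log events are grouped by source IP, target IP and a time window into clues, every group is reported (over-report rather than miss), and user-supplied filter rules can then drop what the user does not want to see. The log lines, addresses and the ten-minute window are constructed for the example.

```python
"""Added example (not from the original article): group related log events
into 'clues' keyed by source IP, target IP and a time window, with a hook for
user-defined filter rules. All log lines below are constructed sample data
using documentation address ranges, not real hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <source_ip> <target_ip> <event text>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 192.0.2.10 ids:port-scan
2024-05-01T10:00:40 198.51.100.7 192.0.2.10 fw:deny tcp/445
2024-05-01T10:02:15 198.51.100.7 192.0.2.10 ids:smb-exploit-attempt
2024-05-01T10:03:00 203.0.113.9 192.0.2.10 fw:deny tcp/22
2024-05-01T12:30:00 198.51.100.7 192.0.2.10 ids:port-scan
"""


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, event = line.split(" ", 3)
        events.append({"time": datetime.fromisoformat(ts),
                       "src": src, "dst": dst, "event": event})
    return events


def _summarize(src, dst, evs):
    return {"src": src, "dst": dst,
            "first_seen": evs[0]["time"], "last_seen": evs[-1]["time"],
            "events": [e["event"] for e in evs]}


def build_clues(events, window=timedelta(minutes=10), rules=()):
    """Group events by (src, dst) and start a new clue whenever the gap between
    consecutive events exceeds `window`. Every group becomes a clue (over-report
    rather than under-report); `rules` are user-supplied predicates and a clue
    is dropped only when one of them returns True for it."""
    events = sorted(events, key=lambda e: e["time"])
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"])].append(e)

    clues = []
    for (src, dst), evs in groups.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["time"] - current[-1]["time"] <= window:
                current.append(e)
            else:
                clues.append(_summarize(src, dst, current))
                current = [e]
        clues.append(_summarize(src, dst, current))

    clues.sort(key=lambda c: c["first_seen"])
    return [c for c in clues if not any(rule(c) for rule in rules)]


# Example of a user-defined filter rule (hypothetical): hide clues that consist
# of a single firewall deny and nothing else.
def only_one_fw_deny(clue):
    return len(clue["events"]) == 1 and clue["events"][0].startswith("fw:deny")


if __name__ == "__main__":
    for c in build_clues(parse_log(SAMPLE_LOG), rules=(only_one_fw_deny,)):
        print(f"{c['src']} -> {c['dst']} "
              f"{c['first_seen']:%H:%M:%S}..{c['last_seen']:%H:%M:%S}: "
              + ", ".join(c["events"]))
```

With the sample data, the three events from 198.51.100.7 within ten minutes form one clue, the later port scan from the same host two hours on forms a second, and the lone firewall deny from 203.0.113.9 is a third; only the filter rule, which the user controls, removes that last one.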
For a single organisation or company, the value of intelligence lies in connecting it; for society as a whole, it lies in sharing it. So the standards and norms that promote sharing of intelligence data also need to be gradually improved. Besides the well-known CVE and CVSS, CybOX, STIX and TAXII are being vigorously promoted and widely followed. I hope domestic vendors can also do something in this area.
Sharing intelligence also requires the joint efforts of all vendors in the security industry. We hope some companies will take the lead in setting up an "opendata" community within the security community, adhering to the idea of "trusting that others are smarter", and publish statistics and typical security incidents in an organised, standardised way for everyone in the industry to use, so as to aid analysis and achieve common improvement.
Furthermore, we need to look at people with appreciation, so we could even launch question-and-answer products such as "sub-answers" in the security world, where you can ask security questions about the current state of your system. Anonymous people are rewarded for their wisdom, which will greatly increase their enthusiasm for sharing. This approach is really an extension of the competition model, but it can enlighten us more quickly and more specifically.
Compared with the traditional espionage industry, network security intelligence is not only very important but also has a legitimate pedigree, is on the rise, and has attracted sufficient national attention. If done well it can not only contribute to the national information security strategy but also attract all kinds of capital, so that enterprises will not lack money, and promote it for the benefit of society as a whole. It is hoped that China's network security intelligence industry can develop healthily and be at the forefront of the world.
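To make the sharing formats named above concrete, here is an added example (not code from the original article, and not any vendor's implementation) that wraps a single observable in a minimal STIX 2.1 Indicator and Bundle using only the Python standard library. The IP address is a constructed documentation-range value; the helper names are this example's own.

```python
"""Added example (not from the original article): build a minimal STIX 2.1
Indicator and Bundle for sharing an IPv4 observable, and check the required
properties before publishing. The address is a constructed sample value."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Required properties of a STIX 2.1 Indicator SDO.
REQUIRED_INDICATOR_FIELDS = {"type", "spec_version", "id", "created",
                             "modified", "pattern", "pattern_type", "valid_from"}


def stix_timestamp(dt):
    """STIX 2.1 timestamps are RFC 3339 in UTC with a trailing 'Z'."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_ipv4_indicator(ip, name, now=None):
    """Return an Indicator whose pattern matches the given IPv4 address.
    Rejects anything that is not a well-formed IPv4 address so that a
    malformed value never reaches the shared feed."""
    addr = ipaddress.ip_address(ip)          # raises ValueError if malformed
    if addr.version != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{addr}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects):
    """Wrap STIX objects in a Bundle, the unit TAXII servers exchange."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": list(objects)}


def validate_indicator(obj):
    """Minimal pre-publication check: all required properties present and
    the id carries the right prefix."""
    missing = REQUIRED_INDICATOR_FIELDS - set(obj)
    return (not missing and obj["type"] == "indicator"
            and obj["id"].startswith("indicator--")
            and obj["spec_version"] == "2.1")


if __name__ == "__main__":
    # Constructed sample: a scanner seen in the clue analysis, shared as STIX.
    ind = make_ipv4_indicator("198.51.100.7", "constructed example scanner")
    assert validate_indicator(ind)
    print(json.dumps(make_bundle([ind]), indent=2))
```

The validation step is deliberately strict: a consumer's TAXII client will reject an object missing required properties, so checking before publishing keeps a shared feed usable by everyone who subscribes to it.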